WrenSecurity / wrensec-parent

Parent POM for Maven based Wren Security projects.
http://wrensecurity.org

Verifying signature of locally installed tools.jar fails #7

Closed siepkes closed 6 years ago

siepkes commented 7 years ago

Summary

The parent POM specifies that the locally installed tools.jar should be used (which is a good thing). However, verifying the PGP signature fails unless you have the exact version which is specified in the hosted trustedkeys.properties file.

It is impractical to specify a signature for all possible tools.jar JARs. Even if we did so, there is another problem we would bump into: the same versions of tools.jar can have different signatures. For example, I use CentOS 7.4, which uses an OpenJDK version built by the CentOS project. However, the same version by Ubuntu will probably have a different signature because, for example, the MANIFEST.MF file contains the version of the JDK used to create the tools.jar JAR.

Since tools.jar is part of the JDK installation, I think verifying the integrity of tools.jar is out of scope for the WrenSecurity project; it's something the distribution takes care of by using signed packages. If tools.jar is compromised, the compiler or Maven itself might be compromised as well.

Steps

  1. checkout Wren:DS (or any Wren project that inherits from wrensec-parent)
  2. Verify you use a different JDK version than is specified for tools.jar in trustedkeys.properties.
  3. run mvn clean install in the root of the checked-out project.

Expected

Project builds without issue.

Current

Build fails with the following error:

[ERROR] Failed to execute goal com.github.s4u.plugins:pgpverify-maven-plugin:1.2.0-SNAPSHOT:check (default) on project opendj-config: No signature for com.sun:tools:jar:1.8.0_144 -> [Help 1]

Workarounds

Kortanul commented 7 years ago

@siepkes two comments (because I ran into this, too, back when I was getting Wren:DS builds going):

Kortanul commented 7 years ago

One other question -- is there an environment variable we can tap into to get the flavor of the JDK? If so, we can include that in the version string. Previously, the POM wasn't even depending on a specific version of the tools.jar; I made it more specific so we could at least differentiate between major and minor versions. We could add the distribution name in that version as well, and then we'd only have to publish sigs as users run into versions we don't yet have a sig for.

Alternatively, we could submit a PR to pgpverify that adds an option to skip verification of provided artifacts.

siepkes commented 7 years ago

@Kortanul I think it might be best we provide an option to skip verification of tools.jar altogether. There are just too many flavors. All Linux distros will have a different signature due to a timestamp in the manifest.

Also, I think verification of the integrity of the JDK is something that falls out of our scope and into the scope of the OS installation / distro. In theory someone might just as well have rigged someone's Maven, javac or OS kernel to inject bad code into the Wren build.
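The point made in the two comments above (same tools.jar version, different signature per distribution because of build-specific data in META-INF/MANIFEST.MF) is easy to reproduce without a JDK. The script below is an added illustration written for this thread; it is not code from wrensec-parent or from pgpverify-maven-plugin. It constructs two small JARs with identical class entries but different manifests (the manifest fields, entry names and class bytes are made up), then shows that the whole-artifact hash, which is what a detached PGP signature over the artifact bytes commits to, differs, while a per-entry comparison of everything outside META-INF/ still matches.

```python
"""Same tools.jar version, different artifact hash.

Added example for this issue, not project code. Two constructed JARs stand
in for the same OpenJDK release packaged by two distributions: identical
class entries, but a META-INF/MANIFEST.MF carrying build-specific metadata.
"""
import hashlib
import io
import zipfile

# Constructed stand-in for the code content shared by both builds
# (hypothetical entry names and bytes, not a real tools.jar).
CLASS_ENTRIES = {
    "com/sun/tools/javac/Main.class": b"\xca\xfe\xba\xbe" + bytes(64),
    "com/sun/tools/javac/Resolve.class": b"\xca\xfe\xba\xbe" + bytes(range(32)),
}

# Hypothetical manifests: same JDK version, different build metadata.
MANIFEST_DISTRO_A = (
    "Manifest-Version: 1.0\r\n"
    "Created-By: 1.8.0_144 (Distro A build)\r\n"
    "Build-Timestamp: 2017-08-10T11:23:00Z\r\n\r\n"
)
MANIFEST_DISTRO_B = (
    "Manifest-Version: 1.0\r\n"
    "Created-By: 1.8.0_144 (Distro B build)\r\n"
    "Build-Timestamp: 2017-08-22T03:05:41Z\r\n\r\n"
)


def build_jar(manifest: str, entries: dict) -> bytes:
    """Write a minimal JAR (a zip file) with fixed entry timestamps, so the
    manifest text is the only thing that differs between two builds."""
    fixed_time = (2017, 8, 10, 0, 0, 0)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        info = zipfile.ZipInfo("META-INF/MANIFEST.MF", date_time=fixed_time)
        jar.writestr(info, manifest.encode("utf-8"))
        for name in sorted(entries):
            jar.writestr(zipfile.ZipInfo(name, date_time=fixed_time), entries[name])
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    """Whole-artifact digest: this is what a detached signature covers."""
    return hashlib.sha256(data).hexdigest()


def code_digests(jar_bytes: bytes) -> dict:
    """Per-entry SHA-256 of every entry outside META-INF/, i.e. the code
    itself, ignoring the build-specific manifest."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.startswith("META-INF/"):
                continue
            digests[name] = sha256_hex(jar.read(name))
    return digests


def same_code_content(jar_a: bytes, jar_b: bytes) -> bool:
    """True when the two JARs ship identical class entries, even if their
    whole-file hashes (and therefore any signature over them) differ."""
    return code_digests(jar_a) == code_digests(jar_b)


if __name__ == "__main__":
    jar_a = build_jar(MANIFEST_DISTRO_A, CLASS_ENTRIES)
    jar_b = build_jar(MANIFEST_DISTRO_B, CLASS_ENTRIES)
    print("distro A artifact sha256:", sha256_hex(jar_a))
    print("distro B artifact sha256:", sha256_hex(jar_b))
    print("whole-artifact hashes equal:", sha256_hex(jar_a) == sha256_hex(jar_b))
    print("class entries identical:   ", same_code_content(jar_a, jar_b))
```

Because the signature is over the artifact bytes, a single fingerprint or signature entry keyed by `com.sun:tools:jar:<version>` in trustedkeys.properties can only ever match one distribution's build; every other build of the same version fails with "No signature" as in the error above. That is why the thread lands on trusting the distribution's package signing for the JDK and skipping artifact verification for tools.jar.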

Kortanul commented 7 years ago

@siepkes #8 should address this for you based on master. Since a lot of FR projects depend on older versions of the parent POM, I have fixed our copies of artifacts to also use the new version so that tools.jar does not fail.